Bug #14397
open
DHCPv4 client (dhclient) does not use 802.1p Priority tagging on DHCP RENEW - Only on Discover and release
0%
Description
Some ISPs using VLANs for service, require DHCPv4/v6 Frames to be 802.1p priority tagged.
pfSense has the option to do this by either:
- Setting VLAN priority tagging in the Interface DHCP options (if you are not using Advanced configuration or a predefined configuration file)
- If using advanced configuration: By adding “vlan-pcp x” in the advanced modifier options.
BUG:
This priority setting in only used in DISCOVER and RELEASE frames sent by dhclient - NOT in RENEW or REBIND.
This is now causing major problems in France where Orange (Major ISP) has upgraded to also requiring the RENEW frames to be properly VLAN Priority tagged.
This causes the uplink to stop working when a renew is due. (About once a day)
I don’t know if the issue is the same in DHCPv6
The issue was patched in OPNsense about a month ago, and they decided to drop the advanced options overwrite of the VLAN priority setting in interface DHCP options.
Instead they let the user choose if VLAN priority should be used via the interface DHCP VLAN Priority setting already available.
If selected it would - apart from adding “vlan-pcp x” to the dhclient config - also set the priority tag in the builtin pffilter rule that passes Interface DHCP client traffic. This adds the tag to RENEW and REBIND frames.
The issue occurs because dhclient uses a bfg interface for DISCOVER and RELEASE - thus respecting the vlan-pcp settings. But for RENEW it uses a simple socket, and that causes it not to be tagged correctly. In pfSense you cannot create a floating match rule to manually tag the traffic that has higher priority than the builtin pass quick rule for the interface DHCP client.
Updated by Tue Madsen 11 months ago
After quite the investigation the above BUG statement is a little more nuanced:
Using the second option (Adding “vlan-pcp x” in advanced mondifier options) has the BUG that RENEW and REBIND frames are not 802.1p priority tagged.
If you are not using the advanced options or a predefined configuration file, and just use the first listed option (Enable DHCPclient VLAN priority tagging), RENEW and REBIND frames are actually priority tagged. This is because this option also adds a “set prio x” statement to the builtin netgate rule that enables the WAN DHCP client to send UDP DHCP frames.
So if you are using advanced configuration or a predefined config file with “vlan-pcp x” in, you can as a workaround also set “Enable DHCPclient VLAN priority tagging” to the same priority. This will make sure RENEWs and REBINDs are tagged correctly.
I still consider this a bug, but now less critical. Perhaps a little UI update to inform users they should do both? - in case there is no desire to create a actual “merge” script of settings and advanced/predefined settings.
Updated by